|European Commission – Press release
EU negotiators agree on strengthening Europe’s cybersecurity
Brussels, 10 December 2018
This evening, the European Parliament, the Council and the European Commission have reached a political agreement on the Cybersecurity Act which reinforces the mandate of the EU Agency for Cybersecurity, (European Union Agency for Network and Information and Security, ENISA) so as to better support Member States with tackling cybersecurity threats and attacks.
The Act also establishes an EU framework for cybersecurity certification, boosting the cybersecurity of online services and consumer devices.
Vice-President Andrus Ansip, in charge of the Digital Single Market, said: “In the digital environment, people as well as companies need to feel secure; it is the only way for them to take full advantage of Europe’s digital economy. Trust and security are fundamental for our Digital Single Market to work properly. This evening’s agreement on comprehensive certification for cybersecurity products and a stronger EU Cybersecurity Agency is another step on the path to its completion.”
Commissioner Mariya Gabriel, in charge of Digital Economy and Society, added: “Enhancing Europe’s cybersecurity, and increasing the trust of citizens and businesses in the digital society is a top priority for the European Union. Major incidents such as Wannacry and NotPetya have acted as wake-up calls, because they dearly showed the potential consequences of large-scale cyber-attacks. In this perspective, I strongly believe that tonight’s deal both improves our Union’s overall security and supports business competitiveness.”
Proposed in 2017 as part of a wide-ranging set of measures to deal with cyber-attacks and to build strong cybersecurity in the EU, the Cybersecurity Act includes:
- A permanent mandate for the EU Cybersecurity Agency, ENISA, to replace its limited mandate that would have expired in 2020, as well as more resources allocated to the agency to enable it to fulfil its goals, and
- a stronger basis for ENISA in the new cybersecurity certification framework to assist Member States in effectively responding to cyber-attacks with a greater role in cooperation and coordination at Union level.
In addition, ENISA will help increase cybersecurity capabilities at EU level and support capacity building and preparedness. Finally, ENISA will be an independent centre of expertise that will help promote high level of awareness of citizens and businesses but also assist EU Institutions and Member States in policy development and implementation.
The Cybersecurity Act also creates a framework for European Cybersecurity Certificates for products, processes and services that will be valid throughout the EU. This is a ground breaking development as it is the first internal market law that takes up the challenge of enhancing the security of connected products, Internet of Things devices as well as critical infrastructure through such certificates. The creation of such a cybersecurity certification framework incorporates security features in the early stages of their technical design and development (security by design). It also enables their users to ascertain the level of security assurance, and ensures that these security features are independently verified.
Benefits for citizens and businesses
The new rules will help people trust the devices they use every day because they can choose between products, like Internet of Things devices, which are cyber secure.
The certification framework will be a one-stop shop for cybersecurity certification, resulting in significant cost saving for enterprises, especially SMEs that would have otherwise had to apply for several certificates in several countries. A single certification will also remove potential market-entry barriers. Moreover, companies are incentivized to invest in the cybersecurity of their products and turn this into a competitive advantage.
Following tonight’s political agreement, the new regulation will have to be formally approved by the European Parliament and the Council of the EU. It will then be published in the EU Official Journal and will officially enter into force immediately, thus paving the way for European certification schemes to be produced and for the EU Agency for Cybersecurity, ENISA, to start working on the basis of this focused and permanent mandate.
The Cybersecurity Act was proposed as part of the Cybersecurity package adopted on 13 September 2017, and as one of the priorities of the Digital Single Market strategy. To keep up with the ever-evolving cyber threats, the Commission also proposed, one year later in September 2018, to create a European Cybersecurity Industrial, Technology and Research Centre and a network of Cybersecurity Competence Centres to better target and coordinate available funding for cybersecurity cooperation, research and innovation. The proposed European Cybersecurity Competence Centre will manage cybersecurity-related financial support from the EU’s budget and facilitate joint investment by the Union, Member States and industry to boost the EU’s cybersecurity industry and make sure our defense systems are state-of-the-art.
For More Information
|European Commission – Press release
State of the Union 2017 – Cybersecurity: Commission scales up EU’s response to cyber-attacks
Brussels, 19 September 2017
On 13 September, in his annual State of the Union Address, President Jean-Claude Juncker stated: “In the past three years, we have made progress in keeping Europeans safe online. But Europe is still not well equipped when it comes to cyber-attacks. This is why, today, the Commission is proposing new tools, including a European Cybersecurity Agency, to help defend us against such attacks.”
Europeans place great trust in digital technologies. They open up new opportunities for citizens to connect, facilitate the dissemination of information and form the backbone of Europe’s economy. However, they have also brought about new risks as non-state and state actors increasingly try to steal data, commit fraud or even destabilise governments. Last year, there were more than 4,000 ransomware attacks per day and 80% of European companies experienced at least one cybersecurity incident. The economic impact of cyber-crime has risen five-fold over the past four years alone.
To equip Europe with the right tools to deal with cyber-attacks, the European Commission and the High Representative are proposing a wide-ranging set of measures to build strong cybersecurity in the EU. This includes a proposal for an EU Cybersecurity Agencyto assist Member States in dealing with cyber-attacks, as well as a new European certification scheme that will ensure that products and services in the digital world are safe to use.
Federica Mogherini, High Representative/Vice-President, said: “The EU will pursue an international cyber policy promoting an open, free and secure cyberspace as well as support efforts to develop norms of responsible state behaviour, apply international law and confidence building measures in cybersecurity.”
Andrus Ansip, Vice-President for the Digital Single Market, said: “No country can face cybersecurity challenges alone. Our initiatives strengthen cooperation so that EU countries can tackle these challenges together. We also propose new measures to boost investment in innovation and promote cyberhygiene”
Julian King, Commissioner for the Security Union, said: “We need to work together to build our resilience, to drive technological innovation, to boost deterrence, reinforcing traceability and accountability, and harness international cooperation, to promote our collective cybersecurity.”
Mariya Gabriel, Commissioner for the Digital Economy and Society, said: “We need to build on the trust of our citizens and businesses in the digital world, especially at a time when large-scale cyber-attacks are becoming more and more common. I want high cybersecurity standards to become the new competitive advantage of our companies.”
With recent ransomware attacks, a dramatic rise in cyber-criminal activity, the increasing use of cyber tools by state actors to meet their geopolitical goals and the diversification of cybersecurity incidents, the EU needs to build a stronger resilience to cyber-attacks and create an effective EU cyber deterrence and criminal law response to better protect Europe’s citizens, businesses and public institutions. This is what today’s Cybersecurity Package is about.
Building EU resilience: A strong EU Cybersecurity Agency
An EU Cybersecurity Agency: Building on the existing European Agency for Network and Information Security (ENISA), the Agency will be given a permanent mandate to assist Member States in effectively preventing and responding to cyber-attacks. It will improve the EU’s preparedness to react by organising yearly pan-European cybersecurity exercises and by ensuring better sharing of threat intelligence and knowledge through the setting up of Information Sharing and Analyses Centres. It will help implement the Directive on the Security of Network and Information Systems which contains reporting obligations to national authorities in case of serious incidents.
The Cybersecurity Agency would also help put in place and implement the EU-wide certification framework that the Commission is proposing to ensure that products and services are cyber secure. Just as consumers can trust what they eat thanks to EU food labels, new European cybersecurity certificates will ensure the trustworthiness of the billions of devices (“Internet of Things”) which drive today’s critical infrastructures, such as energy and transport networks, but also new consumer devices, such as connected cars. Cybersecurity certificates will be recognised across Member States, thereby cutting down on the administrative burden and costs for companies.
Stepping up the EU’s cybersecurity capacity
It is in the EU’s strategic interest to ensure that the technological tools of cybersecurity are developed in a way that allows the digital economy to flourish, while also protecting our security, society and democracy. This includes the protection of critical hardware and software. To reinforce the EU’s cybersecurity capacity, the Commission and the High Representative are proposing:
- A European Cybersecurity Research and Competence Centre (pilot to be set up in the course of 2018). Working with Member States, it will help develop and roll out the tools and technology needed to keep up with an ever-changing threat and make sure our defences are as state-of-the-art as the weapons that cyber-criminals use. It will complement capacity-building efforts in this area at EU and national level.
- A Blueprint for how Europe and Member States can respond quickly, operationally and in unison when a large-scale cyber-attack strikes. The proposed procedure is laid down in a Recommendation adopted last week. The Recommendation also asks Member States and EU institutions to establish an EU Cybersecurity Crisis Response Framework to make the Blueprint operational. It will regularly be tested in cyber and other crisis management exercises.
- More solidarity: In the future, the possibility of a new Cybersecurity Emergency Response Fund could be considered for those Member States that have responsibly implemented all the cybersecurity measures required under EU law. The Fund could provide emergency support to help Member States – just as the EU’s Civil Protection Mechanism is used to help with cases of forest fires or natural disasters.
- Stronger cyber defence capabilities: Member States are encouraged to include cyber defence within the Framework of Permanent Structured Cooperation (PESCO) and the European Defence Fund to support cyber defence projects. The European Cybersecurity Research and Competence Centre could also be further developed with a cyber defence dimension. To address the skills gap in cyber defence, the EU will create a cyber defence training and education platform in 2018. The EU and NATO will together foster cyber defence research and innovation cooperation. Cooperation with NATO, including participation in parallel and coordinated exercises, will be deepened.
- Enhanced international cooperation: The EU will strengthen its response to cyber-attacks by implementing the Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities, supporting a strategic framework for conflict prevention and stability in cyberspace. This will be coupled with new cyber capacity building efforts to assist third countries to address cyber threats.
Creating an effective criminal law response
A more effective law enforcement response focusing on detection, traceability and the prosecution of cyber criminals is central to building an effective disincentive to commit such crimes. The Commission is therefore proposing to boost deterrence through new measures to combat fraud and the counterfeiting of non-cash means of payment.
The proposed Directive will strengthen the ability of law enforcement authorities to tackle this form of crime by expanding the scope of the offences related to information systems to all payment transactions, including transactions through virtual currencies. The law will also introduce common rules on the level of penalties and clarify the scope of Member States’ jurisdiction in such offences.
To step up effective investigation and prosecution of cyber-enabled crime, the Commission will also present proposals to facilitate cross-border access to electronic evidence in the beginning of 2018. In addition, by October, the Commission will present its reflections on the role of encryption in criminal investigations.
Recent figures show that digital threats are evolving fast and that the public perceives cyber-crime as an important threat: Whilst ransomware attacks have increased by 300% since 2015, the economic impact of cyber-crime rose fivefold from 2013 to 2017, and could further rise by a factor of four by 2019, studies suggests. 87% of Europeans regard cyber-crime as an important challenge to the EU’s internal security
The European Agenda on Securityand the Mid-term review of the Digital Single Market Strategyguide the Commission’s work in this area, setting out the main actions for boosting cybersecurity. The measures proposed today complement already existing rules and fill the gaps where the threat landscape has evolved since the adoption of the 2013 EU Cybersecurity Strategy, delivering on the key priority to support Member States in ensuring internal security under the Bratislava Declaration and Roadmap.
For More Information
 For example, the cost for smart meter certification in the UK and France is around €150,000.